<!doctype html>
<html lang="en-US">
  <head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link class="user" href="https://www.vmware.com/content/dam/vmwaredesigns/scrapercontent/responsive.css" rel="stylesheet" type="text/css">
  <link rel="shortcut icon" type="image/x-icon" href="https://blogs.vmware.com/security/wp-content/themes/vmware-security-0.2.2/favicon.ico" />
  <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO Premium plugin v17.1.2 (Yoast SEO v17.1) - https://yoast.com/wordpress/plugins/seo/ -->
	<title>HelloKitty: The Victim’s Perspective - VMware Security Blog - VMware</title>
	<link rel="canonical" href="https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="HelloKitty: The Victim’s Perspective" />
	<meta property="og:description" content="In the past few months, we have witnessed several indiscriminate attacks targeting big companies. Whereas years ago different threat actors focused on specific sectors, nowadays the same techniques, tactics, and procedures (e.g., how the perimeter is penetrated, which tools are used for lateral movement) are consistently applied regardless of company size, location, or industry. Target &hellip; Continued" />
	<meta property="og:url" content="https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html" />
	<meta property="og:site_name" content="VMware Security Blog" />
	<meta property="article:published_time" content="2021-09-09T11:06:29+00:00" />
	<meta property="article:modified_time" content="2022-08-25T17:38:55+00:00" />
	<meta property="og:image" content="https://blogs.vmware.com/security/files/2021/08/HelloKitty2.png" />
	<meta property="og:image:width" content="904" />
	<meta property="og:image:height" content="390" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@vspheresecurity" />
	<meta name="twitter:site" content="@vspheresecurity" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Stefano Ortolani" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="10 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://blogs.vmware.com/security/#website","url":"https://blogs.vmware.com/security/","name":"VMware Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://blogs.vmware.com/security/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html#primaryimage","inLanguage":"en-US","url":"https://blogs.vmware.com/security/files/2021/08/HelloKitty2.png","contentUrl":"https://blogs.vmware.com/security/files/2021/08/HelloKitty2.png","width":904,"height":390,"caption":"Figure 2: One of the ransom notes dropped by HelloKitty as found on VirusTotal"},{"@type":"WebPage","@id":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html#webpage","url":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html","name":"HelloKitty: The Victim\u2019s Perspective - VMware Security Blog - 
VMware","isPartOf":{"@id":"https://blogs.vmware.com/security/#website"},"primaryImageOfPage":{"@id":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html#primaryimage"},"datePublished":"2021-09-09T11:06:29+00:00","dateModified":"2022-08-25T17:38:55+00:00","author":{"@id":"https://blogs.vmware.com/security/#/schema/person/98f55114d3e4b30a48803a34d7d3d836"},"breadcrumb":{"@id":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html"]}]},{"@type":"BreadcrumbList","@id":"https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://blogs.vmware.com/security/"},{"@type":"ListItem","position":2,"name":"HelloKitty: The Victim\u2019s Perspective"}]},{"@type":"Person","@id":"https://blogs.vmware.com/security/#/schema/person/98f55114d3e4b30a48803a34d7d3d836","name":"Stefano Ortolani","image":{"@type":"ImageObject","@id":"https://blogs.vmware.com/security/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/d29beb370b83545b329f80eb6876f5a4?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/d29beb370b83545b329f80eb6876f5a4?s=96&d=mm&r=g","caption":"Stefano Ortolani"},"jobTitle":"Threat Research Lead","worksFor":"VMware","url":"https://blogs.vmware.com/security/author/sortolani"}]}</script>
	<!-- / Yoast SEO Premium plugin. -->


<link rel='dns-prefetch' href='//s.w.org' />
<script type="text/javascript">
// WordPress core emoji support shim (auto-generated, minified).
//
// 1. window._wpemojiSettings publishes where fallback emoji assets live:
//    PNG/SVG images on s.w.org (a third-party origin that therefore sees
//    requests from visitors whose browser lacks native emoji rendering) and
//    a "concatemoji" script served from this site's own origin.
// 2. The IIFE draws two variants of a flag sequence and a ZWJ emoji
//    sequence (with U+200D ZWJ vs U+200B ZWSP between the code points) onto
//    an off-screen canvas and compares the resulting data URLs: identical
//    output means the browser ignored the joiner, i.e. no native support.
// 3. Only when support is missing does it register DOMContentLoaded/load
//    handlers and inject a <script> for the concatemoji URL (or for
//    twemoji + wpemoji when those keys are present instead).
//
// Review notes: this is an inline script, so a strict CSP needs a nonce or
// hash for it. The injected script URL comes from the page-controlled
// settings object above and is same-origin here (blogs.vmware.com), so the
// shim does not execute third-party code; only the fallback images are
// third-party. The canvas probe is a feature test, not a fingerprint, but
// browsers that randomise canvas output for anti-fingerprinting may report
// "unsupported" here, which is harmless (the fallback script is loaded).
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/blogs.vmware.com\/security\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.0"}};
/*! This file is auto-generated */
!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode,e=(p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source||{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);
</script>
<style type="text/css">
/* Inline fallback emoji images injected by the wp-emoji shim above.
   Render them as 1em inline glyphs and strip any theme rules (border,
   shadow, background, padding) that would otherwise apply to content
   images; !important is used because theme stylesheets load later. */
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 0.07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://blogs.vmware.com/security/wp-includes/css/dist/block-library/style.min.css?ver=6.0' type='text/css' media='all' />
<link rel='stylesheet' id='sage/css-css'  href='https://blogs.vmware.com/security/wp-content/themes/vmware-security-0.2.2/dist/styles/main-3089d13a45.css' type='text/css' media='all' />
<!-- jQuery 3.6.0 and jquery-migrate 3.3.2, served first-party (no SRI, which
     is acceptable for same-origin assets). Any fallback copy of jQuery loaded
     later in <head> needs to be on the same 3.x line: jquery-migrate 3.x is
     the compatibility shim for jQuery 3, so a 1.x fallback would be both
     incompatible with it and an end-of-life branch. -->
<script type='text/javascript' src='https://blogs.vmware.com/security/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script type='text/javascript' src='https://blogs.vmware.com/security/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' src='https://blogs.vmware.com/security/wp-content/themes/vmware-security-0.2.2/inc/wp-scripts/marker-animation.js?ver=6.0' id='jquery.marker-animation-js'></script>
<!-- Hardening note (review): the first two links advertise WordPress
     discovery endpoints that a public blog rarely needs. The RSD link points
     at /xmlrpc.php, the XML-RPC endpoint, which is a frequent target for
     credential brute-forcing and pingback abuse; if no client depends on
     XML-RPC, disable it server-side and drop this link. The wlwmanifest link
     presumably serves only legacy desktop publishing clients and can go with
     it. The generator meta discloses the exact core version ("WordPress 6.0");
     suppressing it does not stop fingerprinting via the ?ver= query strings on
     the asset URLs in this <head>, but it removes the most direct signal. The
     shortlink and oEmbed links are functional and can stay. -->
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blogs.vmware.com/security/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://blogs.vmware.com/security/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 6.0" />
<link rel='shortlink' href='https://blogs.vmware.com/security/?p=28825' />
<link rel="alternate" type="application/json+oembed" href="https://blogs.vmware.com/security/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblogs.vmware.com%2Fsecurity%2F2021%2F09%2Fhellokitty-the-victims-perspective.html" />
<link rel="alternate" type="text/xml+oembed" href="https://blogs.vmware.com/security/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblogs.vmware.com%2Fsecurity%2F2021%2F09%2Fhellokitty-the-victims-perspective.html&#038;format=xml" />
<script>
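	// Fallback loader for jQuery. It runs only when the first-party copy
	// referenced earlier in <head> (wp-includes/js/jquery/jquery.min.js,
	// ver=3.6.0) failed to load, so `jQuery` is still undefined here.
	//
	// The fallback must stay on the same major version as the bundled copy:
	// jquery-migrate 3.3.2 is loaded right after it and targets jQuery 3.x.
	// The previous fallback pulled jQuery 1.12.4 - an end-of-life branch with
	// published XSS advisories (fixed in 3.5.0) - which would silently
	// downgrade the page whenever the primary request failed.
	if (typeof jQuery == 'undefined') {
		var headTag = document.head || document.getElementsByTagName('head')[0];
		var jqTag = document.createElement('script');
		// Same Google Hosted Libraries path as before, version aligned with
		// the bundled copy. The `type` property is omitted: text/javascript
		// is the default and the old assignment added nothing.
		jqTag.src = 'https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js';
		// TODO(security): pin this third-party script with Subresource
		// Integrity (jqTag.integrity = 'sha384-...'; jqTag.crossOrigin =
		// 'anonymous') once the hash of the exact file above has been
		// computed and verified against a trusted copy.
		headTag.appendChild(jqTag);
	}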
</script>  
                              <!-- Akamai mPulse (boomerang) real-user-monitoring loader, injected at the
                                   CDN edge. Review notes:
                                   * BOOMR_API_key is shipped to every browser, so it is an identifier,
                                     not a secret; nothing should rely on it being private.
                                   * The "ak.*" object is per-request edge telemetry baked into this
                                     snapshot: ak.bpcip (what appears to be a truncated client IP of
                                     whoever fetched the page), ak.cport, ak.rid, ak.t (looks like a Unix
                                     timestamp), ak.tlsv, plus an opaque ak.ak token. The AK plugin's rv()
                                     removes most of them after the beacon is sent, but they remain in the
                                     page source, so do not treat this copy of the markup as stable or as
                                     free of client-identifying data.
                                   * The iframe fallback in t() assigns a javascript: URL and sets
                                     document.domain when the cross-window document.open() throws, and the
                                     d.write() path relies on an inline onload handler. All of that is
                                     blocked by a strict CSP (no 'unsafe-inline') and document.domain
                                     assignment is deprecated in current browsers, so this snippet would
                                     need nonces or an exception if a CSP is introduced.
                                   * The boomerang bundle is loaded from s.go-mpulse.net with no integrity
                                     attribute; the URL embeds the API key and the payload is vendor
                                     managed, so SRI is impractical and a script-src allowlist is the
                                     realistic control.
                                   * "False"=="True", ""=="true", "false"=="true" and "".length>0 are
                                     server-side template toggles rendered as constants; those branches
                                     are dead in this copy. -->
                              <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="H9GEV-4J3F8-PCWZW-5GPKQ-BKVPH",function(){function e(){if(!r){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,o.appendChild(e),r=!0}}function t(e){r=!0;var n,t,a,i,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(o,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",i=(a.frameElement||a).style,i.width=0,i.height=0,i.border=0,i.display="none",o.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void 0;",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=14,window.BOOMR.url=n+"H9GEV-4J3F8-PCWZW-5GPKQ-BKVPH";var i=document.currentScript||document.getElementsByTagName("script")[0],o=i.parentNode,r=!1,d=document.createElement("link");if(d.relList&&"function"==typeof 
d.relList.supports&&d.relList.supports("preload")&&"as"in d)window.BOOMR.snippetMethod="p",d.href=window.BOOMR.url,d.rel="preload",d.as="script",d.addEventListener("load",e),d.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!r)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),o.appendChild(d);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var n=""=="true"?1:0,t="",a="kbjpoovygnubsy2n5ohq-f-e317442e9-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"32","ak.cp":"177502","ak.ai":parseInt("196942",10),"ak.ol":"0","ak.cr":26,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"3c9ab1b1","ak.r":42048,"ak.a2":n,"ak.m":"dsca","ak.n":"essl","ak.bpcip":"80.82.247.0","ak.cport":50488,"ak.gh":"23.72.226.158","ak.quicv":"","ak.tlsv":"tls1.3","ak.0rtt":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1666050959","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==U8TkyH/+TNViJZ+B/whA+nqsRYGol9aEvzSaXCcRrQmTR2ELGQfiynV4M0bBZvJBdMtkv2iHHSi7XPPytPJejAokzelQjd/1EClOtYoi++gOrncnO+nNZWXE/r+gwZ8JK+Y7bLe4lYGImBGr9dAaaUd+OKBqARzANcj+WECA9k+U2nTFuAS/uPWfTjtZq7heNe3QsVOEKOtZPOhmCg4dx004oKDPXtQ4+xNvOErN0ODx3CoR+fu54CnIewV9PaC/TUQIDmWuwW4TQ/Nbv/4E6h0ZzN54pyUrvvkaYw2s3wltBhUtXphnnPy+fVOGh8Hyup52Ndk7hDtx1uJImVElzs13yCpOkHMAf6tXyQ1NOAkizI9oQs+JHYdlIADA/2dp+XN1BMZnSA/EwkBS23CREvBq076ThiWC2LRvUeyLYsc=","ak.pv":"34","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var 
e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head>
  <body class="post-template-default single single-post postid-28825 single-format-standard hellokitty-the-victims-perspective.html sidebar-primary">
    <header class="banner">
  
<div class="featured-tags">
    <div class="container">
        <div class="row background-dark-gray">
                            <div class="col-3 stacked-posts category-curl">
                    
<article class="card post-82261 post type-post status-publish format-standard has-post-thumbnail hentry category-executive-viewpoint tag-featured">
  <div class="image-wrap   image-grayscale">
    <a href="https://blogs.vmware.com/security/2022/04/how-not-to-build-a-soc.html" title="How Not to Build a SOC">
      <img src="https://blogs.vmware.com/security/files/2022/03/photo_security9_screens-410x222.jpg" alt="How Not to Build a SOC" class="" />
    </a>
      </div>
  <div class="content-wrap">
    <div class="content-inner">
                        <a href="https://blogs.vmware.com/security/executive-viewpoint" class="category-label">Executive Viewpoint</a>
                    <h2 class="title"><a href="https://blogs.vmware.com/security/2022/04/how-not-to-build-a-soc.html">How Not to Build a SOC</a></h2>
      <div class="entry-meta">
            <span class="author-list">
                                    <a href="https://blogs.vmware.com/security/author/mholzworth" rel="author" class="author">Martin Holzworth</a>
                            </span>
                <time class="updated" datetime="2022-04-18" pubdate>April 18, 2022</time>
        <span class="read-time">14 min read</span>
    </div>    </div>
  </div>
</article>
                </div>
                            <div class="col-3 stacked-posts category-curl">
                    
<article class="card post-82220 post type-post status-publish format-audio has-post-thumbnail hentry category-executive-viewpoint tag-featured post_format-post-format-audio">
  <div class="image-wrap   image-grayscale">
    <a href="https://blogs.vmware.com/security/2022/04/cybersecurity-podcast-tom-kellermann-global-threats.html" title="Podcast: Discussing the latest security threats and threat actors - Tom Kellermann (Virtually Speaking)">
      <img src="https://blogs.vmware.com/security/files/2022/02/globecyberattack-e1647877118160-410x222.jpg" alt="Podcast: Discussing the latest security threats and threat actors - Tom Kellermann (Virtually Speaking)" class="" />
    </a>
      </div>
  <div class="content-wrap">
    <div class="content-inner">
                        <a href="https://blogs.vmware.com/security/executive-viewpoint" class="category-label">Executive Viewpoint</a>
                    <h2 class="title"><a href="https://blogs.vmware.com/security/2022/04/cybersecurity-podcast-tom-kellermann-global-threats.html">Podcast: Discussing the latest security threats and threat actors - Tom Kellermann (Virtually Speaking)</a></h2>
      <div class="entry-meta">
            <span class="author-list">
                                    <a href="https://blogs.vmware.com/security/author/blog-editor" rel="author" class="author">Editorial Staff</a>
                            </span>
                <time class="updated" datetime="2022-04-13" pubdate>April 13, 2022</time>
        <span class="read-time">1 min read</span>
    </div>    </div>
  </div>
</article>
                </div>
                    </div>
    </div>
</div>

</header>
    <div class="wrap" role="document">
      <div class="content">
        <main>
          
  <article class="background-off-white">
    <div class="container background-white mb-4">
      <div class="row">
        <div class="col-12">
          <header class="post-header">
    <div class="post-header-inner">
                    <div class="post-featured-image">
                <div class="image-wrap">
                    <img src="https://blogs.vmware.com/security/files/2021/08/HelloKitty2-410x222.png" alt="Figure 2: One of the ransom notes dropped by HelloKitty as found on VirusTotal" class="img-fluid" />
                                    </div>
            </div>
                <div class="post-headline">
                            <a href="https://blogs.vmware.com/security/threat-analysis-unit" class="category-label">Threat Analysis Unit</a>
                            <a href="https://blogs.vmware.com/security/network-security" class="category-label">Network Security</a>
                        <h1 class="entry-title">HelloKitty: The Victim’s Perspective</h1>
            <div class="entry-meta">
            <span class="author-list">
                                    <a href="https://blogs.vmware.com/security/author/sortolani" rel="author" class="author">Stefano Ortolani</a>
                            </span>
                <time class="updated" datetime="2021-09-09" pubdate>September 9, 2021</time>
        <span class="read-time">17 min read</span>
    </div>                    </div>
    </div>
</header>        </div>
      </div>
        <div class="row">
          <div class="col-md-8">
            <div class="entry-content">
<p>In the past few months, we have witnessed several indiscriminate attacks targeting big companies. Whereas years ago different threat actors focused on specific sectors, nowadays the same tactics, techniques, and procedures (e.g., how the perimeter is penetrated, which tools are used for lateral movement) are consistently applied regardless of company size, location, or industry. Target selection depends much more on an organization’s IT infrastructure: for example, recent trends show several actors (among them REvil, HelloKitty, or what was known as Darkside) increasingly targeting companies running workloads on VMware ESXi, adding to their ransomware the capability to gracefully stop virtual machines before encrypting them (see Figure 1).</p>
<figure id="attachment_28826" aria-describedby="caption-attachment-28826" style="width: 598px" class="wp-caption aligncenter"><img class="wp-image-28826" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty1.png" alt="" width="598" height="535" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty1.png 724w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-300x269.png 300w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-600x537.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-251x225.png 251w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-355x318.png 355w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-467x418.png 467w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-231x207.png 231w, https://blogs.vmware.com/security/files/2021/08/HelloKitty1-140x125.png 140w" sizes="(max-width: 598px) 100vw, 598px" /><figcaption id="caption-attachment-28826" class="wp-caption-text">Figure 1: HelloKitty stopping virtual machines gracefully</figcaption></figure>
<p>Another important trend we have seen growing in the last few months is the use of ransomware to seize sensitive customer data — first by exfiltrating it, then encrypting it, and later pressuring the victim into paying a ransom under the threat of disclosing such data publicly (a technique called “double extortion”). Notable victims include <a href="https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime">CD Projekt RED</a>, which faced the leak of the source code of some of its most famous video games.</p>
<p>While many threat reports have already dissected the technical internals of the malware involved (<a href="https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html">see here</a> for a well detailed reverse engineering of a HelloKitty sample, including an analysis of its cryptography primitives), we rarely see how the negotiation between a threat actor and its victims unfolds (without irony, the victims are often termed “customers” by the threat operators). More importantly, there isn’t much discussion of the risks involved in dealing with parties that are actual cybercrime enterprises.</p>
<p>To shed some light on all these matters, in this blog post we give a brief peek into what happens to a victim when infected by the Linux version of HelloKitty ransomware, a known variant targeting ESXi workloads. While we do not focus on a specific sample or campaign, it is relatively easy to acquire a small dataset if the sample has been uploaded to VirusTotal: searching for the ransom note extension with the query <code>content:".README_TO_RESTORE"</code> is an effective method to select a mix of HelloKitty samples (or of one of its most recent spin-offs, ViceSociety). Note that this cuts both ways: a sample uploaded to a public service also exposes the ransom note, and with it the link to the negotiation chat discussed below, to anyone who finds it.</p>
<h2>The note, or the start of the journey</h2>
<p>While the image of thousands of monitors displaying the <a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack">WannaCry ransom window</a> is still engraved in our collective memory, nowadays ransomware attacks on workloads are perceived by users as a sudden loss of service availability. The system administrator is then confronted with the entire data directory tree suddenly containing encrypted files and a ransom note (see Figure 2 for the ransom note dropped during an attack on an Italian company operating in the health care sector).</p>
<figure id="attachment_28827" aria-describedby="caption-attachment-28827" style="width: 626px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28827" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty2.png" alt="" width="626" height="270" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty2.png 904w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-300x129.png 300w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-768x331.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-600x259.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-522x225.png 522w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-585x252.png 585w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-380x164.png 380w, https://blogs.vmware.com/security/files/2021/08/HelloKitty2-222x96.png 222w" sizes="(max-width: 626px) 100vw, 626px" /><figcaption id="caption-attachment-28827" class="wp-caption-text">Figure 2: One of the ransom notes dropped by HelloKitty as found on VirusTotal.</figcaption></figure>
<p>Interestingly, this file has information both for the victim to get in touch with the attacker and for the attacker to get the necessary cryptographic details to develop a decryptor. This is of primary importance: the victim, as we will see later, is encouraged to ask for a free decryption sample as a way to verify the trustworthiness of the attacker. As every customer knows, a smooth first “technical support” experience is the perfect welcoming mat to a successful business transaction.</p>
<p>The ransom note ends with a link to a Tor website. Note that there is no password or authentication required; in other words, anybody holding a copy of the ransom note — including anyone who retrieves it from a public malware repository — can access the very same website the victim is invited to use. This would not be a concern if the process of paying the ransom were just a matter of uploading a file (the ransom note, for example) and providing credit card details; unfortunately, the whole process is more akin to a technical support interaction than a shopping experience — everything takes place within the boundary of a persistent, public chat window.</p>
<h2>The chat, or getting to know each other</h2>
<p>Figure 3 shows the first exchange of messages between a victim and the support engineer operating the ransomware infrastructure. As we can see, the priority for the victim is to ascertain whether the chat is authentic, and if the threat actor is actually able to decrypt the files. If the victim is not aware of this possibility, the attacker reminds the victim of this fact by disguising it as a goodwill gesture.</p>
<figure id="attachment_28828" aria-describedby="caption-attachment-28828" style="width: 709px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28828" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty3.png" alt="Chat box of negotiation" width="709" height="719" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty3.png 1045w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-296x300.png 296w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-1010x1024.png 1010w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-768x779.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-600x609.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-222x225.png 222w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-314x318.png 314w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-412x418.png 412w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-204x207.png 204w, https://blogs.vmware.com/security/files/2021/08/HelloKitty3-123x125.png 123w" sizes="(max-width: 709px) 100vw, 709px" /><figcaption id="caption-attachment-28828" class="wp-caption-text">Figure 3: Chat with the threat actor&#8217;s technical support</figcaption></figure>
<p>Unfortunately, files are transferred in the least secure manner possible: using public file sharing services. This means that anybody accessing the chat can retrieve any file exchanged, and since the password is also shared over the same channel, it offers no real protection. The victim should therefore think carefully about which file to use for a free decryption. The incentive here is for the victim to recover their most prized (and thus most sensitive) possession: in some cases this means a full-fledged virtual machine file, possibly containing highly sensitive data; on the other hand, the threat actor is only willing to allow some “not important” files to test decryption (in the ESXi case we observed, log files were requested). From the victim’s side, the safe choice is a test file whose content could be made public without harm.</p>
<p>Obtaining a decryption is not instantaneous, and questions requiring engineering expertise or technical work are often ignored or only answered after several hours. This suggests that the threat actor divides its workforce like modern businesses do, having non-technical staff as first-level technical support while keeping engineers and developers far from the “front line”. This also means that any attempt to outsmart the operator by, for example, asking to decrypt backups, is eventually detected and not well received. In the best-case scenario, such attempts simply forfeit any chance of negotiating a discount (see Figure 4); in the worst case, they may be enough to push the actor to hike the ransom or leak the exfiltrated data.</p>
<figure id="attachment_28829" aria-describedby="caption-attachment-28829" style="width: 688px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28829" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty4.png" alt="Chat box of negotiation" width="688" height="631" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty4.png 1029w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-300x275.png 300w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-1024x939.png 1024w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-768x705.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-600x550.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-245x225.png 245w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-347x318.png 347w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-456x418.png 456w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-226x207.png 226w, https://blogs.vmware.com/security/files/2021/08/HelloKitty4-136x125.png 136w" sizes="(max-width: 688px) 100vw, 688px" /><figcaption id="caption-attachment-28829" class="wp-caption-text">Figure 4: Being cheeky is the worst way to start a negotiation</figcaption></figure>
<h2>The deal, or the cash does the talking</h2>
<p>While we are used to thinking of a negotiation as something agreed between two parties, the people participating in this type of chat are rarely able to make business choices for themselves. For example, the system administrator on the victim’s side cannot make any decision regarding the payments, especially if amounts of several million dollars are involved. Likewise, the chat operator cannot develop the decryptor or even decrypt test files alone, as he relies on other teams. This leads to a lengthy ping-pong, which can last as long as two or three weeks, before either party decides to commit to the deal.</p>
<p>The first choice that the victims must make is whether they are ready to pay up for the data or they only want to make sure that the data does not get leaked (the double extortion). Advice such as “make your backups” or “have a disaster recovery plan,” while sound, and rightly part of any company’s proper security posture, quickly loses its importance if the future of the company and its competitive advantage in the market are at stake with a leak. In other words, at this point the availability of backups only means the ability to choose the least expensive extortion: backups restore availability, but they do nothing against the copy the attacker already exfiltrated. Defending the perimeter, preventing lateral movement, and catching the exfiltration before the data leaves the network should still be an enterprise’s foremost priorities.</p>
<figure id="attachment_28830" aria-describedby="caption-attachment-28830" style="width: 651px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28830" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty5.png" alt="Chat box of negotiation" width="651" height="660" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty5.png 931w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-296x300.png 296w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-768x779.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-600x608.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-222x225.png 222w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-314x318.png 314w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-412x418.png 412w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-204x207.png 204w, https://blogs.vmware.com/security/files/2021/08/HelloKitty5-123x125.png 123w" sizes="(max-width: 651px) 100vw, 651px" /><figcaption id="caption-attachment-28830" class="wp-caption-text">Figure 5: Attackers negotiate too, and they can leverage all collected information</figcaption></figure>
<p>The price negotiation is also utterly unfair: the threat actor is already in possession of all the data, and, with some luck, has also gained access to the company financials. This means that the threat actor can adjust the ransom to what the company is able to pay, and if the victim objects that they can’t afford such a steep transaction, they either need to provide some proof by coming up with a compelling story or convince upper management that there is no viable alternative. This also needs to be done quickly, as chat operators can grow impatient (see Figure 5).</p>
<p>Obviously, it is not in the interest of the threat actor to pull the rug out from under the negotiation at this point, and threats at this phase should simply be seen as brinkmanship. See, for example, the chat operator calling for a “more constructive approach” after being ignored for a couple of days. The threat actor gains nothing by leaking the data; they have every incentive to come to an agreement, whether it is for 10 million dollars or 5. At the same time, the threat must be made credible, and one way to do this is to apply pressure by pretending that time is a concern. That is often not the case: a deadline for a “constructive and responsible approach” (see Figure 5) can always be extended.</p>
<figure id="attachment_28831" aria-describedby="caption-attachment-28831" style="width: 550px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28831" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty6.png" alt="Chat box of negotiation" width="550" height="483" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty6.png 935w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-300x263.png 300w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-768x674.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-600x527.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-256x225.png 256w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-362x318.png 362w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-476x418.png 476w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-236x207.png 236w, https://blogs.vmware.com/security/files/2021/08/HelloKitty6-142x125.png 142w" sizes="(max-width: 550px) 100vw, 550px" /><figcaption id="caption-attachment-28831" class="wp-caption-text">Figure 6: Paying in Bitcoin has higher fees because money laundering in Bitcoin is more difficult than Monero</figcaption></figure>
<p>Another interesting aspect of the negotiation is that it is often possible to pay the ransom either in Bitcoin or in Monero. While both cryptocurrencies are fungible, Monero is much more private: unlike Bitcoin, whose ledger is public and lets payments be traced, Monero keeps the actual recipient of a transaction hidden. As shown in Figure 6, this fact is known by both the victim and the threat actor. While accepting both types of payment, the threat actor charges up to 10% more when payment is made in Bitcoin; at the same time, banks (because the victim needs to involve a bank when transferring this amount of money) prefer Bitcoin, precisely because Monero is an asset more closely associated with money laundering, and thus more difficult to manage.</p>
<p>When the deal is sealed and the transaction is confirmed, the threat actor morphs into your everyday technical support account specialist: if the decryptor does not work, engineers are promptly involved to fix it. Often it is the victim who asks for the chat to remain online, at least until the entire decryption process is completed. While we fully understand that after paying several million dollars the victim would want to make sure there is a way to reach out to the threat actor if needed, we cannot help but point out that this keeps any exchanged files available for download, in the public transcript of the chat, for as long as the chat stays up. We performed a cursory check of all the chats referenced in the samples uploaded to VirusTotal, and in all cases the chat contained accessible files (which we did not download).</p>
<p>Keep in mind that chat operators do not respond kindly if they feel played around with, so if your aim is to collect additional threat intelligence, you will need a more convincing cover story than our feeble attempt, in which we tried to extract the name of the targeted company from a chat in which the victim did not reach out to the threat actor (see Figure 7).</p>
<figure id="attachment_28832" aria-describedby="caption-attachment-28832" style="width: 562px" class="wp-caption aligncenter"><img loading="lazy" class="wp-image-28832" src="https://blogs.vmware.com/security/files/2021/08/HelloKitty7.png" alt="Chatbox" width="562" height="482" srcset="https://blogs.vmware.com/security/files/2021/08/HelloKitty7.png 1026w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-300x257.png 300w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-1024x878.png 1024w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-768x659.png 768w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-600x515.png 600w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-262x225.png 262w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-371x318.png 371w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-487x418.png 487w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-241x207.png 241w, https://blogs.vmware.com/security/files/2021/08/HelloKitty7-146x125.png 146w" sizes="(max-width: 562px) 100vw, 562px" /><figcaption id="caption-attachment-28832" class="wp-caption-text">Figure 7: A thick skin may be required to collect intelligence from a threat actor</figcaption></figure>
<h2>Conclusions</h2>
<p>Ransomware is one of the worst nightmares a company can go through nowadays. It is vitally important for enterprises to keep infrastructure and workloads well-protected from every possible threat lurking in a data center, as attackers have been pivoting for some time now from end users to large companies, where big payouts are possible. After all, why ransom 100 people for $300 when you can ransom a single company for $3 million? In conclusion, our advice is to be aware that all communications and file exchanges with the operator are accessible to anyone holding the ransom note: treat the note itself as sensitive, choose decryption test files on the assumption that they will be public, and remember that careless interactions with ransomware operators may cause additional embarrassment even if the ransom is paid.</p>            </div>
          </div>
        </div>
      </div>
    </div>
      <div class="container related-posts">
    <div class="row">
      <div class="col-12">
        <h2 class="mt-4 mb-3">Related Articles</h2>
      </div>
    </div>
  </div>
  </article>

        </main><!-- /.main -->
      </div><!-- /.content -->
    </div><!-- /.wrap -->
  <script type="text/javascript"  src="/tVVLjLS-37/K1pInWQk/XJ/b7Q7zmVhO1/YEZIU28/eDdE/a3wXFgAC"></script></body>
</html>